[Remote exploit for slurp compiled with syslog support -- Raju]

This is an RFC 1153 digest.
(1 message)

----------------------------------------------------------------------

Message-ID: <[EMAIL PROTECTED]>
From: zillion <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Subject: SRT Security Advisory (SRT2002-06-04-1011): slurp
Date: Tue, 4 Jun 2002 12:45:33 -0400 (EDT)

======================================================================
Strategic Reconnaissance Team Security Advisory (SRT2002-06-04-1011)

Topic  : Slurp news retriever remote format string vulnerability
Date   : June 04, 2002
Credit : zillion[at]safemode.org
Site   : http://www.snosoft.com
======================================================================

.: Description:
---------------

Slurp is an advanced passive NNTP client for UNIX. It will connect to a
remote NNTP server and retrieve articles in a specified set of Usenet
newsgroups that have arrived after a particular date (typically the last
time it was invoked) for processing by your local news system or
forwarding on via UUCP to another news system. It replaces nntpxfer from
the NNTP 1.5.12 reference implementation and nntpget from the INN
distribution.

This application insecurely syslogs error messages retrieved from the
NNTP server to which it is connected. The responsible code that causes
this security issue:

    log_doit (int sysflag, const char *fmt, va_list ap)
    {
    ...snip snip...
    #ifdef SYSLOG
      if (!debug_flag)
        syslog (LOG_ERR, buf);
    ...snip snip...
    }

The FreeBSD port of this application was compiled with syslog and is
therefore affected.

This format string can easily be triggered. To find out whether you have
a vulnerable slurp, connect to this:

    perl -e 'print "200 Hello brother \n666 %x%x%x\n"' | nc -l -p 119

Then check /var/log/messages for something like:

    Jun 5 05:10:22 yada slurp[39926]: do_newnews: NNTP protocol error: got '666 bfbff4f8804bc1bbfbff51c'

.: Impact:
----------

Malicious server owners can use this vulnerability to execute code on
affected systems.

.: Systems Affected:
--------------------

Systems running slurp version 1.1.0 are known to be affected by this
vulnerability.

Cheers,

zillion

------------------------------

End of this Digest
******************

--
Raju Mathur [EMAIL PROTECTED] http://kandalaya.org/
It is the mind that moves

================================================
To subscribe, send email to [EMAIL PROTECTED] with subscribe in subject header
To unsubscribe, send email to [EMAIL PROTECTED] with unsubscribe in subject header
Archives are available at http://www.mail-archive.com/ilugd%40wpaa.org
=================================================
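
The corrected form of the syslog call quoted in the advisory, as an added example that is not part of the original advisory or of slurp's source. The names log_doit_fixed, log_msg, report_protocol_error, count_directives and last_logged are hypothetical, and the error-message format is assumed from the log line shown in the advisory.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define LOG_BUF 512

/* Copy of the last message handed to syslog, kept so it can be inspected. */
static char last_logged[LOG_BUF];

/* Hardened counterpart of log_doit(): fmt is a literal owned by the program,
 * and the server's text only ever arrives as an argument. */
static void log_doit_fixed(const char *fmt, va_list ap)
{
    char buf[LOG_BUF];
    vsnprintf(buf, sizeof buf, fmt, ap);   /* bounded expansion of trusted fmt */
    /* Vulnerable form in the advisory: syslog(LOG_ERR, buf);
     * buf now contains server-controlled bytes, so it must not be the format. */
    syslog(LOG_ERR, "%s", buf);
    snprintf(last_logged, sizeof last_logged, "%s", buf);
}

static void log_msg(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    log_doit_fixed(fmt, ap);
    va_end(ap);
}

/* Audit helper: count conversion directives in untrusted text ("%%" is a
 * literal percent sign). A non-zero count in a server reply is worth flagging. */
static int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

/* Assumed shape of the do_newnews error path; returns what was logged. */
static const char *report_protocol_error(const char *server_line)
{
    log_msg("do_newnews: NNTP protocol error: got '%s'", server_line);
    return last_logged;
}

int main(void)
{
    const char *line = "666 %x%x%x";   /* constructed reply, as in the advisory's check */
    printf("%d directives; logged: %s\n", count_directives(line), report_protocol_error(line));
    return 0;
}
```

With the fix in place, the check from the advisory logs the literal text `666 %x%x%x` instead of expanded stack values.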
